Error: FAILED_INVALID_RESPONSE_RETURNED in SP Web Agent Option Pack


Article ID: 141423


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

When the Federation Service runs on the Service Provider (SP) side, SP-initiated requests fail with an HTTP 500 error in the browser, and the Federation Service logs the following errors:

affwebserv.log:

    [9748/140064010385152][Tue Oct 08 2019 17:10:35][SSO.java]
    [ERROR][sm-FedClient-02890] Transaction with ID: <Transaction ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )

FWSTrace.log:

    [Received the following response from SAML2 assertion generator: SAML2Response=NO.]
    [Transaction with ID: <Transaction ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
    [Denying request due to "NO" returned from SAML2 assertion generator.]

smtracedefault.log:

    [Error in getting configuration data. Leaving Assertion Generator Framework.  Exception:
    java.lang.Exception: The Federation Web Service didn't send the request with a correct resource! Internal Exception:
     javax.xml.bind.UnmarshalException: Unexpected element  {http://www.w3.org/2000/09/xmldsig#}:Signature
      at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.handleEvent(Unknown Source)

Environment

 

Policy Server 12.8SP6 on RedHat 8

 

Cause

 

SiteMinder supports a signed AuthnRequest only when the signature is carried as a query parameter (HTTP-Redirect binding, where the signature travels in the SigAlg and Signature parameters alongside SAMLRequest). It does not support a signature embedded as a ds:Signature element inside the AuthnRequest element, which is how a signed request arrives over the HTTP-POST binding. The assertion generator's XML unmarshaller does not expect that element, which produces the UnmarshalException above and the "NO" response that the Federation Web Service then turns into FAILED_INVALID_RESPONSE_RETURNED.

Here is the AuthnRequest received in the failing POST case. The Signature element is embedded inside the AuthnRequest:

    <samlp:AuthnRequest
        ID="<value>"
        Version="2.0"
        IssueInstant="2019-10-08T15:10:23Z"
        Destination="https://myidp.example.com/affwebservices/public/saml2sso"
        ForceAuthn="false"
        IsPassive="false"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="https://mysp.example.org/saml/myconsume.jsp"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://mysp.example.org
      </saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="<value>">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>
              <value>
            </DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>
          Lon [...omitted for brevity...] g==
        </SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>
              MII [...omitted for brevity...] CA=
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </samlp:AuthnRequest>

 

Resolution

 

Configure the SP to send the AuthnRequest with the HTTP-Redirect binding instead of HTTP-POST. The request data is then received as query parameters, the signature is carried outside the AuthnRequest element, and the request succeeds.